The software giant Oracle acknowledged reports that several of its clients have received blackmail emails from hackers demanding money to prevent the release of stolen information.
Oracle CSO Rob Duhart announced Thursday evening (Oct. 2) that the company is looking into allegations from the Clop ransomware group, which claims to have breached several Oracle E-Business Suite clients.
“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart said. “Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.”
The company provided no details on which specific vulnerabilities from its July update were exploited, nor did it clarify whether the exploitation occurred after the patch was released.
Mandiant and the Google Threat Intelligence Group (GTIG) issued a joint warning on Wednesday evening about a campaign potentially linked to the notorious Clop ransomware gang. Clop is known for its high-profile data theft operations, often targeting file transfer tools. The organizations confirmed to Recorded Future News via email that they are actively tracking the activity.
The current hacker campaign involves data the criminals claim to have exfiltrated from the Oracle E-Business Suite. According to incident responders, this widely used business platform is significant because it houses applications that manage essential corporate operations such as finance, HR, and supply chain functions.
According to Genevieve Stark, a senior cybercrime investigator at GTIG, the campaign is estimated to have started on September 29, with multiple related investigations currently underway. The threat campaign involves extortion emails demanding ransom to prevent the publication or dark web sale of the stolen data. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) refused to confirm whether it is providing assistance to companies receiving these extortion threats.